Cisco: Our cloud isn’t for snooping on customers’ porn habits.

We told you earlier today about how Cisco is pushing a cloud-based WiFi router management service onto customers of certain Linksys devices—and that to use the service customers must agree to a list of anti-porn and anti-piracy clauses.

The trouble is that for customers with automatic firmware updates turned on, the traditional (and very useful) router management tools available in a Web browser at the address 192.168.1.1 became completely unavailable. Instead, you had to sign up for Cisco’s cloud service, roll back your firmware, or just forget about using advanced router management features.

Cisco has backpedaled tonight, with a blog post saying the service—Cisco Connect Cloud—will no longer be the default management tool. "In response to our customers’ concerns, we have simplified the process for opting-out of the Cisco Connect Cloud service and have changed the default setting back to traditional router set-up and management," Cisco home network VP Brett Wingo wrote.

The company also said it "will not arbitrarily disconnect customers from the Cisco Connect Cloud service based on how they are using the Internet," and that the "Cisco Connect Cloud service has never monitored customers’ Internet usage, nor was it designed to do so, and we will clarify this in an update to the terms of service."

The bottom line is router administrators should be able to turn automatic updating back on without having to worry about losing router administration features. We’d still keep a close eye on it, though, because the blog post leaves some room for doubt.

The part that is slightly iffy says, "If a customer chooses not to set up a Cisco Connect Cloud account, they can manage their router with the current local management software. We are committed to providing both Cloud-enabled and local management software."

That all sounds well and good, but Cisco’s local management tools include an extremely limited piece of software distributed on a disc that comes with routers. Last night, clicking "advanced" features on that software redirected me to 192.168.1.1, which in turn automatically redirected me to Cisco’s cloud.

The Cisco blog doesn’t specify which local management software customers will be able to use going forward. Moreover, instead of updating the firmware again to strip out the Connect Cloud requirement, Cisco is still recommending that customers roll their firmware back to the previous version if they want all the local management tools. So it's not totally clear to us that customers can get future firmware updates and still maintain access to the local, browser-based management console.

I own one of the routers in question—the Linksys EA3500. I rolled my firmware back last night, and turned off automatic updating. Upon reading Cisco’s blog post tonight I assumed at first that I could update to the latest firmware and then verify that the browser-based management console is still active.

But the management console tells me my router software is already up to date. The firmware update that forced Connect Cloud onto customers is still available on Cisco’s download site, so while it still exists, it seems to have been pulled from the automatic update cycle. Even a manual check for updates doesn’t reveal the Connect Cloud update—you have to go to the site to find it.

That seems to indicate that Cisco truly intends to make Connect Cloud an opt-in rather than an opt-out service. But since Cisco’s blog didn’t specifically promise access to the browser-based management console after future automatic updates, we’ve asked the company for clarification and will update this post if we get an answer.

UPDATE: Cisco has told us that going forward the automatic update process will accommodate people who prefer the local, browser-based management console over the cloud service. That's good news, as customers who don't want to use Connect Cloud won't have to choose between their current management setup and firmware updates that could be important.

"If a customer chooses to use the Embedded Web UI and selects the Auto-Update feature, Cisco will offer them an update," Cisco said. "Currently the only update we have is for the Cisco Connect Cloud feature set, but in future, we plan to provide updates for the embedded Web UI feature set specifically. The core message is that a customer can/will be able to choose an embedded web UI and Update without having to use CCC."

Promoted Comments

Anybody who knows about DD-WRT or Tomato already knows the difference between Broadcom and Marvell.

So, to make my advice from last night complete:
1. Pitch out your Marvell-based Linksys box (or sell it on eBay.)
2. Buy something that will run the open-source firmware of your choice.
3. Install the open source firmware (really software, but whatever.)

You now have a router for which, at least in theory, you could read the source code. More to the point, you know that other people like you are reading it, so you can be relatively sure the software is free from back doors, automagic updates, and other such nonsense.

Also, I do access my router from the net when I need to enable a service to my home network. (This bulletin goes out to the previous smart guy who thinks he knows network engineering and has never met "anyone" who's logged in to their home router from the outside.)

I also sometimes access my router from the WAN side. However, this goes via a secure encrypted VPN connection to the firewall itself which connects me to the LAN side, from which I then access the router (so to the router it looks like I'm on the LAN).

However, I would never ever use the remote login facilities that are present in most consumer-grade routers (and this Cisco stuff is consumer-grade hardware, formerly known as 'Linksys') due to the many inherent flaws in their small standard firmwares, and quite frankly no-one with half a brain and at least some basic knowledge about network security would.

I really don't see how CCC even benefits Cisco.
a) It will cost them money to maintain the servers.
b) If the servers go down millions of customers will be pissed.
c) If they really do collect data about what their customers are doing it makes them subject to a fantastic amount of data protection regulation (especially in the EU) which is expensive when you have to demonstrate compliance to the regulators.

So, yeah. It doesn't benefit customers, and it doesn't benefit Cisco. WTF were they thinking?

They were thinking, if they uploaded the router administration to the cloud they could create apps that manage the device via smartphones and the computer. This would allow them to monetize the commodity product further. Thought being that the technorati would pay 4.99 for an app to administer their phones on the go. Allowing them to squeeze more margin out of the device.

Unfortunately, and thankfully it backfired. Everyone read between the lines, and saw this as a huge invasion. And basically taking away functionality so they could charge more for the same thing.

Cisco just needs to die. They have way too much power over infrastructure. If Microsoft owns the corporate desktop, Google/Amazon the cloud, Cisco owns the networking hardware. And there is hardly anyone to compete with them.

If you have ever dealt with them on a corporate level, they are very arrogant, and largely incompetent.

[snip] Did they think they would just sneak this through? Did they think people honestly wouldn't care? ...

My guess is that they thought most of their Linksys-brand customers are "consumers" who never touch their routers, so people would notice only a few at a time. I think they're right. What they forgot was that the rest of their customers for the Linksys brand are us!

Anybody who knows about DD-WRT or Tomato already knows the difference between Broadcom and Marvell.

So, to make my advice from last night complete:
1. Pitch out your Marvell-based Linksys box (or sell it on eBay.)
2. Buy something that will run the open-source firmware of your choice.
3. Install the open source firmware (really software, but whatever.)

You now have a router for which, at least in theory, you could read the source code. More to the point, you know that other people like you are reading it, so you can be relatively sure the software is free from back doors, automagic updates, and other such nonsense.

I have a Linksys router that has a USB port on the back of it for attaching storage and essentially turning it into a NAS. I imagine this cloud business is just a low cost extension of that. In other words, you could drop media into Cisco's cloud and stream it from devices on your network. That's a pretty cool feature I think.

On the other hand, forcing that update and then including shady language in the terms of service is kind of underhanded. Why should Cisco care about the content of the media I'm storing in their cloud? My guess is that it's an effort to protect themselves from people uploading child porn and pirated content.

Like most things on the internet, I think this was blown out of proportion. Cisco certainly bungled the launch of a potentially awesome service, but I think the internet's reaction was a bit of a knee-jerk (surprise surprise!).

I own one of the routers in question—the Linksys EA3500. I rolled my firmware back last night, and turned off automatic updating. Upon reading Cisco’s blog post tonight I assumed at first that I could update to the latest firmware and then verify that the browser-based management console is still active.

I owned a Linksys Router back when the company was Linksys and there was no Cisco in the picture. I have since moved on to other technology by a different company and something tells me that I'm glad I did.

Not that other companies in the future might not try to pull this same bullshit.

There is NO FUCKING WAY I want to ever have my Router Controls sitting on some 3rd party website where it takes a hacker w/ half a brain to bypass the controls - then have full-blown access to thousands of routers all at once.

You might as well toss any security you have on your Router out the window - as the nominal 128-bit standard encryption across the Web defeats the purpose of having said security - by hosting your control panels remotely.

Cisco - this is a bad idea. (what idiot thought this crap up?)

Just because there is a pop culture trend - does not mean that EVERYTHING must jump onto that band-wagon.

Hell - next thing you know - NetGear is going to announce (thru a firmware update) that your Router control panels will only be accessible thru Facebook.

I wonder how they came to the conclusion* that any customer would want external access to modify their home router settings. I've been able to do that for years on an old D-Link router and have never actually wanted to, and I'd consider myself more savvy than an average consumer.

* = assuming they're being honest about their cloud service intentions

So is there any evidence at all that the Entertainment Industry was involved in this process with Cisco? Sure seems like a tactic they would try to fight "Piracy". I just don't see why in the world Cisco would suddenly decide to implement something so asinine unless there was financial incentive and/or pressure from outside forces.

Cisco: the company that ships routers with known defects and expects you to pay a subscription fee to fix your brand new hardware. The only reason Linksys didn't start sucking the instant Cisco bought it is because they had a lot of forward momentum in the not sucking department. I'm amazed it took this long for Cisco's corporate bullshit to erode away the good qualities of Linksys.

Well, up until now I generally recommended Linksys routers to co-workers. They were generally reliable and just worked unlike D-Link that fell off my recommended list way back for being garbage. Thankfully BestBuy/Futureshop carry more than D-Link/Linksys now so TrendNET and Buffalo routers are available locally.

Also, Cisco must have the brightest engineers in the world. Why in the world would you manage your router admin interface from the Internet?

[...]

Wow! I cannot even imagine how they came up with this. Even things like LastPass were already hacked, and honestly Cisco is known to be very insecure. I would not trust them with my home router ever.

My guess is the CEO or CTO was at the country club one day and all his tech buddies were talking about clouds. So he came back to work and started screaming "Moar Cloudz!!!!" at all his underlings. So everyone now has to figure out how to wedge cloud buzzwords into all their products, no matter how inappropriate, just like everybody has to have a mobile app for even the most inane tasks that could be done in the browser.

EDIT: P.S. Was LastPass ever conclusively known to have been hacked? The last incident I'm aware of was about a year ago, when they had detected some anomaly on their network, couldn't really figure out what happened, but decided to treat it like a hack to be safe and made everyone change their passwords.

The number of complete about-faces by tech companies continues to grow. Unfortunately, I don't take the positive view that it's great for companies to be listening to customer outcry. Instead, I think companies are becoming more ballsy about trying out completely fascist crap on their customers and seeing if it sticks. They probably have internal brainstorming sessions just to come up with crazy new crap to screw their customers for a buck. If it doesn't work, they just say "never mind".

Cisco recommends when the internet connection goes down and you need to troubleshoot your router and you can't access the cloud because your internet connection is down, just email Cisco. This brilliant idea brought to you by the same geniuses who thought it would be great to put a router's interface in the cloud.

Wow! How to lose market share in one easy step. Note to self... strike Cisco from approved vendor list.

They apologized, and within 24 hours corrected the mistake.

All vendors make mistakes. But a good vendor is very responsive when they make one.

Granted, their apology basically said "we had customers agreeing to a TOS even WE don't follow", but they also said they're going to fix that, too.

If they just said "fuck you", and didn't do anything, I could see you striking them from your list of vendors to do bus with going forward. But, I think they handled this well. It's a bit disturbing that they roll out something like this without getting a feel for how folks will take it.

But, shit...compared to Sony's PS3 "other OS" firmware update ... I think Cisco did some good damage control on this.

The number of complete about-faces by tech companies continues to grow. Unfortunately, I don't take the positive view that it's great for companies to be listening to customer outcry. Instead, I think companies are becoming more ballsy about trying out completely fascist crap on their customers and seeing if it sticks. They probably have internal brainstorming sessions just to come up with crazy new crap to screw their customers for a buck. If it doesn't work, they just say "never mind".

This.

If Cisco should be chastised for anything, it's this. Too many companies just do shit w/o getting a feel for how customers would react. They don't seem to put themselves in their customers' shoes.

"Let's see ... the news just reported that companies can't get access to Amazon Cloud due to natural disasters causing outages."

"Dude, that reminds me, we should make our users access our Cloud to tweak their routers."

That this got to the point of going live at all shows a profound stupidity in their chain of command. The entire idea of "cloud router configuration" is so braindead that you have to seriously wonder what other completely stupid things they are doing that we don't know about. I'm not going to trust my security to a company like that.

For a while now, Cisco / Linksys routers and switches have been going downhill, particularly consumer hardware and entry-level business hardware from Cisco. If it doesn't cost at least $3,500, it's not running IOS and it's almost certainly garbage.

I wonder if disabling the cloud functionality actually disables it or if it then logs in to the cloud as a guest with something like a MAC Address for a 'unique' identifier. In theory they could still log everything your router does in this manner and it starts to resemble the Sony root-kit debacle.

They can use these logs for any number of reasons, to sell to advertisers, mass surveillance etc.

All of this is speculation of course but security experts should be on the lookout for this sort of behaviour going forward. It's a shame really. I'll err on the side of caution and join the rest of you in not buying or recommending anymore Linksys products.

kcisobderf wrote:

Mondrian wrote:

My take on what the thought process was:

1) Sales revenue for home routers is down or slowing
2) Market research shows that most people that want a router already have one and are satisfied with 802.11g speeds and see no need for 802.11ac or even 802.11n.
3) Management dictates that a solution be found. "Why can Apple make money on the sale of the device and the content afterwards? We carry 99% of the traffic on the internet! How can we monetize that?"
4) Marketing strategist comes up with Connect Cloud to monetize usage after selling the device. To make it work, it has to be on as many devices as possible, so they decide to push this to all capable devices instead of just trying to sell it on new units.

the rest you know.

AND, the NSA won't need to maintain closets in AT&T facilities. Just take a Cisco VP out to lunch!

Can't say I'm surprised, given this is the same company that won't even let you use their subnetting calculator without a SmartNet account (even when their own Cisco Press CCNA training books give you the URL and don't mention a thing about it not being free).

I really don't see how CCC even benefits Cisco.
a) It will cost them money to maintain the servers.
b) If the servers go down millions of customers will be pissed.
c) If they really do collect data about what their customers are doing it makes them subject to a fantastic amount of data protection regulation (especially in the EU) which is expensive when you have to demonstrate compliance to the regulators.

So, yeah. It doesn't benefit customers, and it doesn't benefit Cisco. WTF were they thinking?

they could sell your data for marketing purposes, and send your internet usage history to rightsholders. Also they think you are dumb sheep.

Wow! How to lose market share in one easy step. Note to self... strike Cisco from approved vendor list.

They apologized, and within 24 hours corrected the mistake.

All vendors make mistakes. But a good vendor is very responsive when they make one.

Granted, their apology basically said "we had customers agreeing to a TOS even WE don't follow", but they also said they're going to fix that, too.

If they just said "fuck you", and didn't do anything, I could see you striking them from your list of vendors to do bus with going forward. But, I think they handled this well. It's a bit disturbing that they roll out something like this without getting a feel for how folks will take it.

But, shit...compared to Sony's PS3 "other OS" firmware update ... I think Cisco did some good damage control on this.

Good damage control can be a very good skill to possess, yes...after an honest mistake, or something that resulted from unforeseen circumstances.

After making a deliberate, calculated decision that wound up exploding in your face? It can make your customer base doubt your motives, which is exactly what's happening here (and also what happened with Sony and the "Other OS" debacle...AND their utterly incompetent security policies, which led to the PSN breach).

Responsiveness is crucial, absolutely. It's not just the speed of your response that matters, though. It's the quality of said response, along with your speed, that determines whether you're viewed as a company who thinks things through...or just one that seems to make their decisions in a vacuum and doesn't care one whit about the customers who purchase their products (or reality in general).

That this got to the point of going live at all shows a profound stupidity in their chain of command. The entire idea of "cloud router configuration" is so braindead that you have to seriously wonder what other completely stupid things they are doing that we don't know about. I'm not going to trust my security to a company like that.

I just said they did a good job damage-controlling, not that their idea was a good one to begin with.

I admit that when companies do stuff like this to me, it makes me question what they're going to do in the future w/o my consent.

From TIVO's rolling in updates automatically that would reduce functionality to PS3's to ... well, it seems everything is trying to make your life easier by auto-updating, then once that control is taken out of your hands, they violate your trust by doing stupid things with the auto-updates.

My guess is the CEO or CTO was at the country club one day and all his tech buddies were talking about clouds. So he came back to work and started screaming "Moar Cloudz!!!!" at all his underlings. So everyone now has to figure out how to wedge cloud buzzwords into all their products, no matter how inappropriate, just like everybody has to have a mobile app for even the most inane tasks that could be done in the browser.

That's basically what just happened at the University of Virginia. A few board members engineered the ouster of the school's president for not having enough "Strategic Dynamism". Which is apparently the management consulting theory that a tyrannical leader flailing around and chasing shiny objects is what you need to be successful. But hey, reading a few Op Eds and articles was more than enough research for those board members to consider themselves experts. And as usual, even after being forced to un-oust the president, the clown responsible got reappointed.

But yeah, all the cool companies are basing their strategery on the cloud. Customers are dying to get their hands on the cloud, just like they were dying to get a hold of 3D TVs and those cool glasses.

Companies that even consider this as a viable option should not be trusted with my data. Or how I connect to the internet. Personally I don't like to deal with companies that feel they need to know how I use the product. Think back to the DIVX (http://en.wikipedia.org/wiki/DIVX), (not to be confused with the player format), and how you had to rent additional viewing after a certain number of plays. Cisco, watch out you have shown your true feelings towards the home users. Your corporate attitude tells us that you do not care for the home user. You have bought out a company that did care about putting out a good product to the home user and let them use it as they saw fit, and now you want to limit that down to a corporate view of what we should see, what we should be able to visit. You want to censor the internet. This is not your job.

Cisco made an error, I'll definitely agree to that. I have no idea which lawyer came up with that TOS but I'll bet that their employment has been reconsidered after this debacle. But, with all due respect to Cisco/Linksys, I have to ask: WTF?

Hasn't the function of CCC long been replicable? A dynamic DNS, enabling remote admin, and making sure you have a strong password? On that, this is mostly an enterprise feature, allowing admins to remote-config a device within their own network from large distances (say, a multi-national corp who needs to change the default DHCP assignments for a store on the opposite coast). It has very little place among home users. Furthermore, it's a horrendous security risk. A remote admin function would be subject to hacking only for that specific network. Hacking CCC would yield tracking for thousands of routers. It's almost like Cisco just painted a huge bulls-eye on their own backs.

Hmm, it's too late for that. The idea that they would begin to think what they were doing would be okay proves they have zero respect for privacy. It also proves they think their average customers are complete uninformed morons that would never notice. Even if I am a moron I do have sense enough to read key points in their TOS. I already replaced my router and I'll never use their products again.

It's a damn shame because I really liked my router... I mean come the hell on why would they make a TOS that gives them the right to keep tabs on you. The fact they changed it is completely irrelevant and does not change the fact that they did it in the first place.

It must have been government regulation that stopped them... no wait... it must have been "net neutrality" that stopped them, yeah that's it!... no wait... maybe it was those new laws that say you can install other firmware to replace the one on your router... no wait that's not it...

Never let it be said that Ars commenters are the brightest bulbs in the box.

After their outrageous intrusion into and lockout from a sensitive network; followed by three days of deliberate runarounds, deliberate delaying tactics, deliberate attempts to offer false explanations, deliberate failures to follow through on promised callbacks, and overall DELIBERATE maltreatment of a loyal customer of 10 years... I am done, done, done done DONE with Cisco.

Ten hours on the phone and dealing with an angry client were too many and too much by far.

I will not ever buy another new Cisco product unless it cannot be avoided in a client's interests.

I will not ever again advise any of my hundreds of clients to buy Cisco or Linksys products. I will only recommend and use competing products.